How to set up stress-free SSL on an OS X development machine (opens in new tab)

(gist.github.com)

103 pointsdltj11y ago22 comments

22 comments

22 comments · 12 top-level

fideloper11y ago· 5 in thread

Only gripe is being told to match Dev with production ... And then develop on Mac OS.

Virtual machines are a much cleaner and nicer way to do this. Setting up a wildcard SSL is similarly as simple, an you get the bonus of learning how to do it on a "real" (normal, more standard) server.

Example setting up wildcard subdomain SSL cert (self-signed): https://serversforhackers.com/ssl-certs/

jedschmidt11y ago

Having gotten more accustomed to the VM approach over the past year since I wrote this post, I agree.

dltjOP11y ago

Thanks for leaving your Gist up there describing the process, Jed. I do some work in VMs, but still found it very useful.

andre3k111y ago

Hi Jed, I was wondering what your VM box looks like? Any cool tools you would recommend?

eosrei11y ago

The development process is much less complicated when you only consider a single OS. The answer to: "How do I do this?" is always the same; a significant time/brain savings.

Argorak11y ago

Also, if you develop for multiple clients, projects don't bleed into each other.

"Well, client X still uses PG 9.1, but I accidentally used a 9.3 feature, because thats what client Y uses."

pbreit11y ago· 3 in thread

I didn't see self-signed certs as an alternative. Isn't that a common and reasonable approach?

philfreo11y ago

This describes setting up a self-signed cert

pbreit11y ago

Oops! I read the 3 alternatives and didn't see self-signed certs, which seemed sorta obvious to me. Then skimmed a bit further and saw all sorts of other things and not really any specific mention of self-signed certs. My bad.

mmagin11y ago

I find it kind of ridiculous that making a self-signed cert is still that hard.

iancarroll11y ago· 2 in thread

Keychain Access makes creating a certificate authority very easy - you might as well just use that...

Besides, I don't understand why you would choose not to trust the certificate, then click it and choose to trust it...

tbyehl11y ago

For the non-OS X crowd, XCA is a really simple GUI for managing your own CA. Just about everything I have that can use an SSL certificate has one that all of my machines trust.

http://xca.sourceforge.net/

junkblocker11y ago

Also, xca works just fine on OS X too.

daurnimator11y ago

I use ngrok (https://ngrok.com/), which tunnels a local port and makes it available over ssl on an ngrok.com subdomain.

Makes it easy to develop from any machine, and even allows me to check it out from other machines. Including things like browserling.

On top of that, it can record and replay requests for you as you debug.

bensummers11y ago

I use multicast DNS so that my server in a development VM can automatically publish a hostname to the host for testing.

http://bens.me.uk/2013/multicast-dns-and-development-virtual...

This is especially useful as my application is multi-tenant, where you can potentially use lots of different hostnames.

I'm wary of trusting a development certificate on my development machines. One slight misconfiguration, and you've got a CA with a well-known private key which can be used to generate certificates for any name. Which would be very useful for MITMing a rather important machine.

I accept the inconvenience of having to click through the warnings, with conscious awareness of what I'm doing to avoid training myself to ignore them. I'm not entirely sure which is the bigger risk.

geofft11y ago

/etc/resolver is pretty cool. I wish it were better-documented / better-known. (I guess `man 5 resolver` documents it.)

I also wish glibc had something similar.

climaxius11y ago

Instead of dnsmasq you can also use https://github.com/robbiev/devdns

e28eta11y ago

Pow is a nice project for handling DNS resolution and forwarding a specific name to a service running on a non-standard port.

I've put Apache with a wildcard cert (& local CA) in front of it to handle SSL termination.

It's very similar to the technique from the article, but I've found the ability to serve requests on the default port to be convenient.

arthurk11y ago

If you're using Django, check out the runserver_plus command from django-extensions: http://django-extensions.readthedocs.org/en/latest/runserver...

lvturner11y ago

I wrote https://www.npmjs.com/package/crisp a while back, which simplifies a lot of this, it generates a self-signed cert and starts a web server in one move

evadne11y ago

I usually just use https://github.com/jugyo/tunnels.

kevinburke11y ago

fyi - I know it's a pain but before I got comfortable with unbound/dnsmasq I wrote a thing to edit your /etc/hosts file, which makes it not quite as painful to deal with.

https://github.com/kevinburke/hostsfile

j / k navigate · click thread line to collapse